Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Password Generator Tool Breaks Petya Ransomware Encryption

Researchers have cobbled together a decryption tool for victims of the Petya ransomware, allowing most users to generate keys in less than 10 seconds.

Researchers have been combing through code related to the Petya ransomware long enough they’ve been able to cobble together a decryption tool that should allow most victims to generate keys in less than 10 seconds.

A Twitter user who goes by the handle @leostone came up with a genetic algorithm on Friday to generate passwords and subsequently put together a site to help victims generate keys.

Hurray!!! Its official, the found key is working!!!I'll update the github with the genetic version, keys will be found in less than a min:)

Users can generate a decryption key, providing they can supply the tool with information from their infected drive.

While this can be a fickle task for the average user, Fabian Wosar, a security researcher at Emsisoft, created an executable over the weekend designed to extract data from infected Petya drives and expedite the process.

Lawrence Abrams, a computer forensics expert who blogs at BleepingComputer.com and has been following the ransomware’s saga, put together a guide on how to use the tool Sunday.

Abrams claims the tool scans the affected drive for the Petya bootcode, automatically selects it, and gives users the option to copy both the sector, and nonce associated with it.

With that information – a Base64-encoded 512 bytes verification data and a Base64-encoded 8 bytes nonce – victims can navigate to @leostone’s site, copy and paste, and generate a password.

Users still have to physically remove the drive from the infected machine and attach it to either a Windows machine or a USB drive docking station, but instead of having to hunt around for the correct code, Wosar’s tool does the job for users.

With the password users should be able to reconnect their drive, fire up their machine, and enter the password to decrypt their drive.

Researchers have been looking into Petya, a strain of ransomware that targets infected machine’s master boot records, since it emerged late last month. Until now, the only option for users who had their MBR encrypted was to fork over roughly $400 in Bitcoin for the decryption key.

While little is known about @leostone, he did explain the impetus of his algorithm on Github, acknowledging that he was prompted to look into the ransomware after his father in law was infected.

Abrams told Threatpost on Monday that while he hasn’t heard of any success stories outside the security community, he was able to decrypt a Petya-infected test machine of his own using the steps in just seven seconds. While both the algorithm and the tool are encouraging, Abrams admits that it may only be a matter of time before the criminals behind Petya catch on to the tool and bulk up the encryption behind the ransomware.

“I feel this ransomware is too “innovative” to fall by the way side,” Abrams said via email, “My guess is that they will fix the vulnerability and push out a newer version with stronger encryption.”

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.